setup.tf
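terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.74.1" # exact pin; bump deliberately and re-plan
    }
  }

  # Remote state. The state file records every attribute Terraform manages
  # (including the SSM parameter values declared in this project), so it is
  # stored server-side encrypted and writes are serialised through the
  # DynamoDB lock table.
  backend "s3" {
    region         = "eu-west-2"
    bucket         = "statefiles"
    key            = "tsg/plan-apply.tfstate"
    dynamodb_table = "tsg-plan-apply-lockfiles"
    encrypt        = true
    # kms_key_id = "<KMS key ARN placeholder>" # only if the bucket policy mandates SSE-KMS
  }
}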
variables.tf
# Human-friendly site name; must be one of the keys of var.aws_region.
variable "regionName" {
  type        = string
  default     = "London"
  description = "Key for looking up region code"
}
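# Site name -> AWS region code. The keys are the accepted values of var.regionName.
variable "aws_region" {
  # Note! TF variable type lower case. map(string) rather than the legacy bare
  # `map` so a non-string value in an override is rejected at plan time.
  type = map(string)
  default = {
    "Dublin"   = "eu-west-1"
    "London"   = "eu-west-2"
    "Broadway" = "eu-west-6" # NOTE(review): eu-west-6 is not a region code this provider version is known to accept — confirm before selecting it
  }
}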
resource "aws_ssm_parameter" "regioncode" {
  # Publishes the region code for the selected site. var.regionName must be a
  # key of var.aws_region; an unknown site fails the plan with an invalid index.
  type  = "String" # NOTE! Quotes + Capital - AWS resource Type
  name  = "region_code"
  value = var.aws_region[var.regionName]
}
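variable "iterator" {
  description = "iterator"
  type        = number # NOTE! just word for Terraform var type
  default     = 1

  # The value is used as a zero-based list index into var.cidr_blocks, so it
  # must be a non-negative whole number. The upper bound depends on the list
  # length and is still enforced by the index expression itself.
  validation {
    condition     = var.iterator >= 0 && floor(var.iterator) == var.iterator
    error_message = "The iterator must be a non-negative whole number; it is used as a list index."
  }
}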
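variable "cidr_blocks" {
  description = "CIDR blocks"
  type        = list(string)
  default = [
    "192.168.100.0/24",
    "192.168.101.0/24",
    "192.168.102.0/24",
  ]

  # Reject malformed prefixes at plan time instead of publishing them to SSM
  # where every consumer would have to re-validate them. cidrhost() errors on
  # anything that is not a valid CIDR prefix, so can() turns that into a bool.
  validation {
    condition     = length([for c in var.cidr_blocks : c if !can(cidrhost(c, 0))]) == 0
    error_message = "Every entry in cidr_blocks must be a valid CIDR prefix, for example 192.168.100.0/24."
  }
}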
resource "aws_ssm_parameter" "cidr_block" {
  # Publishes a single entry of var.cidr_blocks chosen by var.iterator.
  # Indexing is zero-based (0 is 1st position), so the default of 1 selects
  # the second entry; an index past the end fails the plan.
  type  = "String"
  name  = "CIDR_block"
  value = var.cidr_blocks[var.iterator]
}
data-variables.tf
# Read-only lookup of the existing "pb-Common" IAM policy by name; Terraform
# neither creates nor changes the policy here, it only needs the ARN.
data "aws_iam_policy" "common_pb" {
  name = "pb-Common"
}
resource "aws_ssm_parameter" "permissionsboundary" {
  # Publishes the ARN of the shared permissions-boundary policy so other
  # stacks can attach it without hard-coding the account-specific ARN.
  type  = "String"
  name  = "PermissionsBoundaryARN"
  value = data.aws_iam_policy.common_pb.arn
}
parameters.tf
resource "aws_ssm_parameter" "just_a_parameter" {
  # Smoke-test parameter; carries no real configuration.
  name        = "just_a_parameter"
  type        = "String"
  value       = "random_value"
  description = "Just a test"

  # The tag holds a personal e-mail address, which is readable by any principal
  # allowed to list this parameter's tags; a team alias is usually preferable.
  tags = {
    email = "andrew.2.stringer@bt.com"
  }
}
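resource "aws_ssm_parameter" "CentosSecureRepoSourceBucket" {
  name = "CentosSecureRepoSourceBucket"
  type = "String"
  # Publishes the bucket allow-list from buckets.json as a JSON *object*.
  # file() already returns the JSON text, so wrapping it directly in
  # jsonencode() encodes it a second time and stores a JSON string literal;
  # a consumer's json.loads() then yields a str instead of a dict and indexing
  # it by bucket_ref fails. Round-tripping through jsondecode() validates the
  # file at plan time and stores it in canonical compact form (so the stored
  # value changes shape once, on the first apply after this fix); path.module
  # makes the lookup independent of the working directory.
  # NOTE(review): S3 bucket names cannot contain underscores, so the
  # "secure_repo_rocky" value in buckets.json looks wrong — confirm.
  value = jsonencode(jsondecode(file("${path.module}/buckets.json")))
}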
buckets.json
{
"secure_repo_centos": "centos-repo-development",
"secure_repo_rocky": "rocky_secure_repo_bucket",
"secure_repo_ubuntu": "ubuntu-secure-repo-bucket"
}
copy_file.py
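import json
import logging

logger = logging.getLogger(__name__)

# Paths to parameters in Parameter store.
Parameter_source_bucket = 'CentosSecureRepoSourceBucket'

# Event keys the handler requires; all of them are supplied by the invoker.
_REQUIRED_EVENT_KEYS = ('user_name', 'filename', 'bucket_ref')


def _default_ssm_client():
    """Build an SSM client from the ambient AWS credentials and region.

    boto3 is imported here rather than at module level so the module can be
    imported (and its parsing logic unit-tested with a stub client) without
    the AWS SDK installed. The Lambda runtime ships boto3, so production
    behaviour is unchanged.
    """
    import boto3
    return boto3.client('ssm')


def read_parameter(parameter, ssm_client=None):
    """Fetch a single parameter from SSM Parameter Store.

    Args:
        parameter: name (or path) of the parameter to fetch.
        ssm_client: optional pre-built SSM client; defaults to
            ``boto3.client('ssm')``. Exists so callers and tests can inject
            a client.

    Returns:
        The raw ``GetParameter`` response dict; the value is at
        ``['Parameter']['Value']``.

    Raises:
        ValueError: if ``parameter`` is empty or the response carries no
            ``Parameter`` entry. (The original called ``sys.exit`` without
            importing ``sys``, so these paths previously died with a
            NameError; a real exception surfaces properly in Lambda error
            reporting.)
    """
    if not parameter:
        raise ValueError("read_parameter variable 'parameter' is not set, so exiting.")
    client = ssm_client if ssm_client is not None else _default_ssm_client()
    # No WithDecryption is requested, so a SecureString parameter would be
    # returned still encrypted; the only caller here reads a String parameter.
    parameter_response = client.get_parameter(
        Name=parameter,
    )
    if not parameter_response or 'Parameter' not in parameter_response:
        raise ValueError("Parameter Store value is not set, so exiting.")
    # Log the name only. This helper is generic, and a future caller may pass a
    # parameter whose value must not end up in CloudWatch Logs.
    logger.debug('Fetched parameter %s from Parameter Store', parameter)
    return parameter_response


def handler(event, context, ssm_client=None):
    """Lambda entry point: resolve the approved source bucket for a copy request.

    ``event`` is supplied by the invoker (CLI invocation or a test event) and
    must contain::

        {
            "filename": "1008926332-catbert.gif",
            "user_name": "secure_repo_centos/rocky/ubuntu (etc...)",
            "bucket_ref": "secure_repo_centos"
        }

    'bucket_ref' (from event data) is used only as a key into the allow-list
    held in Parameter Store (``Parameter_source_bucket``). This lets the user
    control which bucket is used for upload whilst not allowing an arbitrary
    bucket to be specified, or giving users access to Parameter Store; an
    unauthorised bucket can therefore never be used as the source.

    The earlier hard-coded "Just for testing" event that overwrote the real
    ``event`` has been removed: with it in place the function ignored its
    input entirely.

    Args:
        event: invocation payload, see above.
        context: Lambda context object (unused).
        ssm_client: optional SSM client, passed through to ``read_parameter``.

    Returns:
        dict with ``source_bucket``, ``filename`` and ``user_name``.

    Raises:
        ValueError: on a missing event key, an unknown ``bucket_ref``, or an
            allow-list parameter that is not a JSON object.
    """
    if not event:
        raise ValueError("handler requires an event payload")
    missing = [key for key in _REQUIRED_EVENT_KEYS if key not in event]
    if missing:
        raise ValueError("event is missing required key(s): %s" % ", ".join(missing))

    username = event['user_name']
    file_to_copy = event['filename']
    bucket_ref = event['bucket_ref']

    source_bucket_raw = read_parameter(Parameter_source_bucket, ssm_client=ssm_client)
    # Parameter store returns strings, need to convert to dict.
    source_bucket_dict = json.loads(source_bucket_raw['Parameter']['Value'])
    if not isinstance(source_bucket_dict, dict):
        # A str here usually means the value was JSON-encoded twice on the
        # publishing side (e.g. jsonencode(file(...)) in Terraform). Fail
        # loudly rather than index into a string.
        raise ValueError("Parameter %s does not hold a JSON object" % Parameter_source_bucket)
    # Explicit allow-list check: an unknown reference must not fall through.
    if bucket_ref not in source_bucket_dict:
        raise ValueError("bucket_ref %r is not an approved source bucket" % bucket_ref)
    source_bucket = source_bucket_dict[bucket_ref]
    print("Source Bucket is:-", source_bucket)
    return {
        "source_bucket": source_bucket,
        "filename": file_to_copy,
        "user_name": username,
    }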